---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kratos
  labels:
    name: kratos
spec:
  replicas: 1
  selector:
    matchLabels:
      name: kratos
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        name: kratos
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 10100
        seccompProfile:
          type: RuntimeDefault
      initContainers:
      - name: migrate
        args:
        - -c
        - /etc/config/kratos/kratos.yml
        - migrate
        - sql
        - -e
        - --yes
        envFrom:
        - configMapRef:
            name: pl-db-config
        env:
        - name: PL_POSTGRES_USERNAME
          valueFrom:
            secretKeyRef:
              name: pl-db-secrets
              key: PL_POSTGRES_USERNAME
        - name: PL_POSTGRES_PASSWORD
          valueFrom:
            secretKeyRef:
              name: pl-db-secrets
              key: PL_POSTGRES_PASSWORD
        - name: DSN
          # yamllint disable-line rule:line-length
          value: postgres://$(PL_POSTGRES_USERNAME):$(PL_POSTGRES_PASSWORD)@$(PL_POSTGRES_HOSTNAME):$(PL_POSTGRES_PORT)/$(PL_POSTGRES_DB)?sslmode=disable&max_conns=20&max_idle_conns=4
        imagePullPolicy: IfNotPresent
        image: oryd/kratos:v0.10.1@sha256:fdcfac3da3b64e619af553451607e1ab00160e59860bb19ec145cdc6f6f9c41d
        resources: {}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          runAsNonRoot: true
          runAsUser: 10100
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /etc/config/kratos
          name: config
      containers:
      - name: server
        args:
        - serve
        - -c
        - /etc/config/kratos/kratos.yml
        - --dev
        envFrom:
        - configMapRef:
            name: pl-db-config
        - configMapRef:
            name: pl-domain-config
        env:
        - name: PL_POSTGRES_USERNAME
          valueFrom:
            secretKeyRef:
              name: pl-db-secrets
              key: PL_POSTGRES_USERNAME
        - name: PL_POSTGRES_PASSWORD
          valueFrom:
            secretKeyRef:
              name: pl-db-secrets
              key: PL_POSTGRES_PASSWORD
        - name: DSN
          # yamllint disable-line rule:line-length
          value: postgres://$(PL_POSTGRES_USERNAME):$(PL_POSTGRES_PASSWORD)@$(PL_POSTGRES_HOSTNAME):$(PL_POSTGRES_PORT)/$(PL_POSTGRES_DB)?sslmode=disable&max_conns=20&max_idle_conns=4
        - name: SERVE_PUBLIC_TLS_CERT_PATH
          value: /certs/server.crt
        - name: SERVE_PUBLIC_TLS_KEY_PATH
          value: /certs/server.key
        - name: SERVE_ADMIN_TLS_CERT_PATH
          value: /certs/server.crt
        - name: SERVE_ADMIN_TLS_KEY_PATH
          value: /certs/server.key
        - name: LOG_LEVEL
          value: trace
        - name: PL_WORK_DOMAIN
          value: work.$(PL_DOMAIN_NAME)
        - name: PL_OAUTH_DOMAIN
          value: $(PL_WORK_DOMAIN)/oauth
        - name: FRONTEND_URL
          value: https://$(PL_WORK_DOMAIN)/auth/ossauth
        - name: ADMIN_URL
          value: https://kratos:4434
        - name: AUTH_LOGIN_URL
          value: https://$(PL_WORK_DOMAIN)/auth/password-login
        - name: SERVE_PUBLIC_BASE_URL
          value: https://$(PL_OAUTH_DOMAIN)/kratos/
        - name: SERVE_ADMIN_BASE_URL
          value: $(ADMIN_URL)/
        - name: SELFSERVICE_DEFAULT_BROWSER_RETURN_URL
          value: $(AUTH_LOGIN_URL)/
        - name: HYDRA_LOGIN_URL
          value: https://$(PL_WORK_DOMAIN)/api/auth/oauth/login
        - name: SELFSERVICE_ALLOWED_RETURN_URLS
          value: $(FRONTEND_URL)/,$(HYDRA_LOGIN_URL)
        # The settings UI is where recovery and invite links redirect when resetting password.
        # All other user settings must be changed via the Pixie API, not the self-service flow
        # because that profile information is duplicated in Kratos and the Profile service.
        - name: SELFSERVICE_FLOWS_SETTINGS_UI_URL
          value: https://$(PL_WORK_DOMAIN)/auth/password/recovery
        - name: SELFSERVICE_FLOWS_SETTINGS_AFTER_PASSWORD_DEFAULT_BROWSER_RETURN_URL
          value: https://$(PL_WORK_DOMAIN)/
        - name: SELFSERVICE_FLOWS_RECOVERY_UI_URL
          value: https://$(PL_WORK_DOMAIN)/auth/password/recovery
        - name: SELFSERVICE_FLOWS_LOGOUT_AFTER_DEFAULT_BROWSER_RETURN_URL
          value: $(AUTH_LOGIN_URL)
        - name: SELFSERVICE_FLOWS_LOGIN_UI_URL
          value: $(AUTH_LOGIN_URL)
        - name: SELFSERVICE_FLOWS_ERROR_UI_URL
          value: https://$(PL_WORK_DOMAIN)/auth/password/error
        imagePullPolicy: IfNotPresent
        image: oryd/kratos:v0.10.1@sha256:fdcfac3da3b64e619af553451607e1ab00160e59860bb19ec145cdc6f6f9c41d
        ports:
        - containerPort: 4433
        - containerPort: 4434
        resources: {}
        volumeMounts:
        - mountPath: /etc/config/kratos
          name: config
        - name: certs
          mountPath: /certs
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          runAsNonRoot: true
          runAsUser: 10100
          seccompProfile:
            type: RuntimeDefault
      - name: admin-create-if-not-exists
        imagePullPolicy: IfNotPresent
        # yamllint disable-line rule:line-length
        image: gcr.io/pixie-oss/pixie-dev-public/curl:multiarch-7.87.0@sha256:f7f265d5c64eb4463a43a99b6bf773f9e61a50aaa7cefaf564f43e42549a01dd
        # yamllint disable rule:indentation
        command: ['sh', '-c', 'set -x;
          URL="${ADMIN_URL}/admin/health/ready";
          until [ $(curl -k -m 0.5 -s -o /dev/null -w "%{http_code}" ${URL}) -eq 200 ]; do
            echo "waiting for ${URL}";
            sleep 2;
          done;
          curl -k -s -H "Content-Type: application/json"
            --data "${ADMIN_IDENTITY}" "${ADMIN_URL}/admin/identities";
          sleep infinity;
        ']
        env:
        - name: ADMIN_URL
          value: https://kratos:4434
        - name: ADMIN_IDENTITY
          value: >-
            {
              "schema_id": "default",
              "traits": {
                "email": "admin@default.com"
              },
              "credentials": {
                "password": {
                  "config": {
                    "password": "admin"
                  }
                }
              }
            }
        volumeMounts:
        - mountPath: /etc/config/kratos
          name: config
        - name: certs
          mountPath: /certs
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          runAsNonRoot: true
          runAsUser: 10100
          seccompProfile:
            type: RuntimeDefault
      restartPolicy: Always
      serviceAccountName: ""
      volumes:
      - name: config
        configMap:
          name: kratos-config
          items:
          - key: kratos.yml
            path: kratos.yml
          - key: identity.schema.json
            path: identity.schema.json
      - name: certs
        secret:
          secretName: service-tls-certs
